IBM Support

Security: NIST 800-131a compliance with IBM Sterling B2B Integrator

Technical Blog Post


Author: Manisha Khond, IBM

NIST 800-131a compliance strengthens security by defining stronger cryptographic keys and more robust algorithms.

Refer to the link for details on NIST 800-131a compliance: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf

Sterling B2B Integrator works in two security compliance modes:

  • Non-NIST 800-131a compliance (default mode)
  • Strict NIST 800-131a compliance

Strict NIST 800-131a compliance is not enforced until it is explicitly enabled.

The following applies to all adapters, services and components when working in NIST 800-131a compliance mode:

  • If an adapter, service, or component is configured with non-NIST 800-131a compliant information, the configuration summary page for that component will indicate non-NIST compliance. To maintain compliance, you must re-configure the adapter, service, or component with NIST 800-131a compliance information.
  • When you re-configure an adapter, service, or component, it forces the usage of NIST 800-131a compliance information; therefore, any non-NIST 800-131a compliance information will not be available.
  • If an adapter or service is configured with non-NIST 800-131a compliance information, it is disabled; you cannot restart it without reconfiguring it with information that supports NIST 800-131a compliance.
  • In strict NIST 800-131a compliance mode, only TLS 1.2 can be used.
  • Algorithms and key strengths that are not allowed for strict NIST 800-131a compliance include:
      - RSA keySize < 2048
      - DSA keySize < 2048
      - EC keySize < 224
      - SHA1 / SHA-1
      - MD2, MD4, MD5
      - RC2, RC4
      - DES

Steps to use NIST compliance:

  1. To enable NIST 800-131a compliance mode, edit <install_dir>/properties/sandbox.cfg and set the parameter below:

     NIST_MODE=strict

     or

     NIST_MODE=transition

  2. Go to the <install_dir>/bin directory.
  3. Stop the application.
  4. Then run the command:

     ./setupfiles.sh (Unix / Linux)
     setupfiles.cmd (Windows)

  5. Restart IBM Sterling B2B Integrator.
  6. Re-configure components for NIST 800-131a compliance.

If an error appears because a certificate or cipher strength utilized is not strong enough for NIST 800-131a compliance, you will need to re-configure it.

Once you re-configure the component for NIST 800-131a compliance, the adapter, service or system component will be re-enabled for use.

Using adapters with SSL in NIST 800-131a compliance mode

  • Only strong cipher suites can be used in strict mode.
  • Use the parameter NISTCompliantCipherSuite in security.properties to view the list of NIST 800-131a compliant cipher suites. Do not modify the NISTCompliantCipherSuite entry.

Below is the list of NIST compliant cipher suites:

  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_GCM_SHA384
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
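A pre-flight check, added here as an example and not part of the original post or the product: it applies the key-size and signature-hash rules listed above to a certificate's metadata, and reads the NISTCompliantCipherSuite entry from security.properties text to report which configured cipher suites strict mode would refuse. The certificate values, the properties excerpt and the configured suite names are constructed; only the rules and the property name come from the post.

```python
# Pre-flight check of certificates and adapter cipher suites against the
# NIST 800-131a strict-mode rules listed in this post.
import re

# Minimum public key sizes and disallowed signature hashes from the post
# ("SHA1" and "SHA-1" normalise to SHA1). The compliant suite list still has
# *_CBC_SHA suites (SHA-1 as record MAC only), so suites are checked by name.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}
DISALLOWED_HASHES = {"SHA1", "MD2", "MD4", "MD5"}

def check_certificate(key_alg, key_bits, sig_hash):
    """Return findings for one certificate; an empty list means it passes."""
    findings = []
    alg = key_alg.upper()
    minimum = MIN_KEY_BITS.get(alg)
    if minimum is None:
        findings.append(f"unknown key algorithm {key_alg}")
    elif key_bits < minimum:
        findings.append(f"{alg} keySize {key_bits} < {minimum}")
    if sig_hash.upper().replace("-", "") in DISALLOWED_HASHES:
        findings.append(f"signature hash {sig_hash} is not allowed")
    return findings

def parse_compliant_suites(properties_text):
    """Read NISTCompliantCipherSuite from security.properties text, joining
    Java-style backslash continuation lines before splitting on commas."""
    joined = re.sub(r"\\\s*\n\s*", "", properties_text)
    match = re.search(r"^\s*NISTCompliantCipherSuite\s*=\s*(.*)$", joined, re.M)
    if match is None:
        raise ValueError("NISTCompliantCipherSuite not found")
    return {s.strip() for s in match.group(1).split(",") if s.strip()}

def check_cipher_suites(configured, compliant):
    """Return the configured suites that strict mode will refuse, sorted."""
    return sorted(set(configured) - compliant)

# Constructed security.properties excerpt: the property name is from the
# post, the value is trimmed to three entries from the post's list.
SAMPLE_PROPERTIES = """\
NISTCompliantCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,\\
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
    TLS_RSA_WITH_AES_128_GCM_SHA256
"""
# Constructed adapter configuration: one suite from the list, one legacy suite.
SAMPLE_CONFIGURED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5"]

if __name__ == "__main__":
    print(check_certificate("RSA", 1024, "SHA1"))  # short key, SHA-1 signature
    print(check_cipher_suites(SAMPLE_CONFIGURED, parse_compliant_suites(SAMPLE_PROPERTIES)))
```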

Client adapters with TLS

  • If a client adapter is configured with a non-NIST 800-131a compliant system certificate, CA certificate, or cipher strength in strict mode, the communication to the server will fail.
  • If you receive an error, you must re-configure the adapter for NIST 800-131a compliance.

TLS version

  • In strict mode, the parameter SSLHelloProtocolForNISTStrict in security.properties controls the TLS versions used. It is set to TLS1.2-ONLY and should not be changed if NIST 800-131a strict compliance is used.
  • If a trading partner does not support TLS 1.2, communication will fail in NIST 800-131a strict compliance mode.

Import and export certificate considerations

  • Import

When using IBM Sterling B2B Integrator in strict mode, non-NIST 800-131a compliant certificates are not imported into the system, even when using the command line script import.sh.

When a non-NIST 800-131a compliant certificate is used, the import report will indicate that a failure occurred and list the non-compliant certificate.

If you are using the IBM Sterling B2B Integrator user interface to import a non-NIST 800-131a compliant certificate, an error message appears indicating that the certificate is not compliant.

  • Export

You can export all certificates regardless of NIST 800-131a compliance.

Certificate Validation in Auth Chain for NIST 800-131a compliance mode

  • If you are running IBM Sterling B2B Integrator in NIST 800-131a strict mode and any certificate has the Auth Chain flag enabled, then all certificates in its chain (root certificates) must be NIST 800-131a compliant for successful validation.
  • If one or more certificates in the auth chain are not NIST 800-131a compliant, an error message appears on the summary page of the certificate indicating that they are not compliant, and you will be unable to use this certificate in NIST 800-131a compliance mode.

Note: The Auth Chain flag should not be enabled for self-signed certificates.

Functionality in IBM Sterling B2B Integrator supporting NIST 800-131a compliance

EBXML, SFTP, FTP, MSMQ, AS2, OCSP, EBICS Client, EBICS Server, Connect:Direct, PGP, MQFTE, SFG, Rosettanet, CLA2, OFTP, JMS, WebSphere MQ Adapters/Services.

Can NIST compliance be disabled?

Yes. To disable NIST compliance, reverse the steps:

  1. Edit sandbox.cfg and set the flag to off:

     NIST_MODE=off

  2. Go to the <install_dir>/bin directory.
  3. Stop the application.
  4. Then run the command:

     ./setupfiles.sh (Unix / Linux)
     setupfiles.cmd (Windows)

  5. Restart IBM Sterling B2B Integrator.
